Zero-day Exploits: Are You Prepared?

Discussion in 'other security issues & news' started by Rmus, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It seems that a number of these have surfaced in the past few months. The Remote Code Execution exploits are the most interesting - there is a kind of mystique about them - the idea of something slipping in without you noticing - like an intruder sneaking into your house while you are watching TV.

    Looking at some of the recent exploits, there is a common pattern. Using the unionseek_wmf exploit as an example:

    1) the exploit itself, finding a vulnerability (media file)

    2) the downloading of a dropper (ioo.exe)

    3) the dropper copies itself (bumxxx.exe) to another folder and installs other downloaders (voixxx.exe) from the internet

    4) the downloaders begin to do their work - installing spyware, etc.

    How are you prepared to handle something like this?

    Ideally, I want to stop the exploit at 1): OS patches, browser security.

    But should that break down, I want to stop the exploit at 2)

    Because once the dropper is installed, usual detection methods may or may not stop the action.

    In another recent experience, a person was infected with Spy Sheriff after clicking on a link in an IM received from her son (who also had the virus unknowingly). She said her AV was up to date.

    In an article posted by ronjor in another thread was this statement:

    "Lindstrom noted that the long-term answer to dealing with what he called this type of "flotsam and jetsam" of constant security alerts is to install host intrusion prevention software to designate what software is allowed to run on a system and what it's allowed to do."

    Intrusion prevention software that creates a White List of executables already installed will prevent any other executable (trojan dropper) from being allowed to download/install - at the 2) point above.

    It's like having a guard at the gate, who has a list (White List) of authorized people. No one else is permitted in.

    In the case of the person above, the exploit worked, installed the dropper, and the AV didn't catch it. That is, the list of known threats (Black List) did not include information about the new exploit.

    So, how are you prepared for this type of intrusion?

    Assume you are preparing in case the exploit is not blocked at 1) above: What do you have in place to take over?

    I want something that will block at 2).

    My Image from the other thread:
    Http://www.rsjones.net/unionseek_wmf/dl_2.gif


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Hmmmm... sorry, I do not think an execution blocker only is quite enough protection for a 0-day exploit that doesn't get caught by the antivirus (or any signature-behaviour based protection). In fact, if this exploit had only destructive behavior, i.e. overwriting system files with random junk, an execution blocker would have been useless (yes I know you also use Deep Freeze btw).

    I do like the idea of executing everything that's not trusted in a sandboxed environment that denies at least (1) permanent writing to disk outside the sandbox and (2) obviously anything from working at kernel level, and with (3) the option to deny reaching outside the sandbox even for reading from files (this is the most difficult part, it is done in UNIX through chroot but nothing similar is supported in Windows, and it IS difficult to make many programs work in a chroot environment in UNIX as well). Now, this, combined with execution and termination protection (a-la Process Guard), and with an obvious firewall seems a much safer environment to me.
     
    Last edited: Dec 28, 2005
  3. Devilown

    Devilown Guest

    The closest fit for (1)+(2)+(3) is BufferZone. But it's nowhere near as sophisticated, particularly for (3), which is envisioned as more a way to shield certain folders.
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I tested the exploit in IE in Sandboxie + full Process Guard and Deep Freeze and I had no doubt it wouldn't get anywhere, but point (3) is what I would like the most because it would guarantee that the exploit just has no ability to communicate anything useful on the outside. Now imagine IE running in an environment where it can't launch or read anything unless it's present in the sandbox too. Now that would kill the "xploit" spyware scum dead in their tracks.
     
  5. StevieO

    StevieO Guest

    Uncheck Run Script Commands in the player.

    Only associate those files you actually require to be played.

    Make sure that your FW prompts for ANY App that attempts outbound.

    Also set your DL to prompt you too.

    As well as the above, I have Winsonar which White Lists, and is an Anti exe too.

    I would think that something like AppDefend could help block attacks such as these.


    StevieO
     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Some Proxomitron Filters I wrote:

    The web filter will catch most .WMF images, but then there are those that are loaded through heavily encrypted JS files. This is where the Header filter comes in. It kills any connection to a URL with a .WMF extension.

    Web Page Filter:

    Header Filter:

     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not following you here: how can there be any destructive behavior if the initial dropper is blocked from downloading?

    BTW - sandboxed environment is ideal - any articles that do a comparison between the various products? In threads around here, I get snippets of information - I've read a few FAQs but it would be nice to have a comparison.

    ==StevieO - about Winsonar, if you install a new program, is it automatically updated to the White List?


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    It's not blocked from downloading, it's blocked from executing by anti-executable, but an exploit could be constructed to overwrite system files instead of downloading a file. There was an IE vulnerability example a couple of years ago on Bugtraq that overwrote the notepad.exe Windows file and it was no different in behavior from this one, all you had to do was visit a web page. Yes, the new notepad.exe would have been blocked by anti-executable, but the original would have been gone.

    Case in point, I ran this same exploit from yesterday on a different site that has picked it up (m.cpa4[dot]org... same rules as the other one, do not visit -- this is also a porn site anyway) and ~WRF0409.tmp was written in C: (I actually used Sandboxie so it was in its own directory, but it would have gone in C: if I didn't use Sandboxie). And this with Process Guard instructed to block all new and changed applications.

    http://img511.imageshack.us/img511/1448/immagine9bw.gif
     
    Last edited: Dec 28, 2005
  9. StevieO

    StevieO Guest

    Rmus

    Winsonar does NOT automatically update to the White List, thank goodness ! If it did that it wouldn't be very safe. It recognises the new exe and alerts you to it. All you have to do is click to allow it to be entered into your White list. Or you can go in and manually Enter/Delete/Update the list any time you choose.

    If you are online, or offline, you can toggle and choose to kill ALL unknown processes automatically, or not. The option is there so you can DL and install things without them getting zapped Instantly, as it does !

    It also has a very comprehensive set of Tools included such as

    Port scanner, on demand or on alert

    Registry checker, Autorun values

    Find all chained processes ID's and parent ID's

    Display all running processes

    File finder

    etc

    If people haven't tried it yet then I can highly recommend it, and it's Free !

    http://digilander.libero.it/zancart/winsonar.html


    StevieO
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I stand corrected: it does cache and then is blocked from executing. I was capturing screen shots so fast I didn't check. The blocking action, however, still keeps it in my point #2, that is, the dropper is blocked from doing anything.

    I'm aware of the other types of exploits you mention, hence,

    I wouldn't mess with these sites otherwise and I realize I'm limiting what I've said in this thread to the trojan-dropper malware that has been seen lately, and I should probably see about changing the title accordingly.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    Added to my filter. Thanks.
     
  12. Guessed

    Guessed Guest

    How do I add the filter?
     
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    With the proper settings Maxthon users are protected.

    Take a look here
     
  14. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    You can either use the Proxo interface and add the filters line by line. Or you can open up default.cfg with Notepad and cut and paste Kye-U's filters (in the form they are quoted) into the proper places, save, then reload the configuration with the Proxo UI.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    When ShadowUser is installed, I'm prepared, because it removes any change on my harddisk during the next reboot.

    A blacklist of threats will always be INCOMPLETE because the source is unreliable (the bad guys).
    Any AV/AS/AT/AK scanners and any shield, that uses blacklists can't be trusted.
    You really have to love these scanners and shields, because love makes you blind.

    A whitelist of good objects can be COMPLETE, because the source is reliable (the good guys).
    If I would ever create a scanner, it would work with a definition database of the GOOD OBJECTS.
    Any object on your harddisk, that does NOT exist in the definition database is reported by the scanner as dangerous.
    But I don't think you need a scanner for this, there must be other methods.
     
  16. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Ok, I've just made a big discovery with Proxomitron.

    Apparently it can match by Hex, which is significant, because I've written a filter that searches for the magic bytes for the .WMF file.

    I am now certain Proxomitron can now act as a very strong workaround for this issue, by killing all .WMF files, by identifying them by their magic bytes.

    If you've imported my Header filter, you can delete it. (And also delete the old Web Page filter.)

    This filter now only kills infected .WMF (or any extension) files.

    Here is the new Web Page filter:

    Code:
    [Patterns]
    Name = "Kill Infected .WMF Files [Kye-U]"
    Active = TRUE
    URL = "$TYPE(oth)"
    Limit = 5
    Match = "[%01][%00][%09][%00][%00]"
    Replace = "\k$ALERT(Infected .WMF File Killed on:\n\n\u)"
    You must also import this Header filter to filter all file extensions:

    Code:
    [HTTP headers]
    In = FALSE
    Out = TRUE
    Key = "URL: All File Extensions Force Filter (Out)"
    URL = "*.*"
    Replace = "$FILTER(true)"
     
    Last edited: Dec 29, 2005
  17. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    The problem with zero-day or zero-hour exploits is that it becomes a business
    ( http://www.zerodayinitiative.com/ ) and zero-days will certainly be more numerous in the future.
    So it's really difficult to prevent such attacks, even if Intrusion Systems are much more armored than antivirus against these threats (which concerns mostly corporate environments).
    That's why a white list protection (much more than the black list of scanners) is really interesting in this case.

    For the RMUS' example, interesting alerts and examples (which can be provided via a free newsletter) can be found on Websense site: http://www.websensesecuritylabs.com/

    A video of a recent example is available here: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385

    Regards
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    That's very, very nice indeed - my compliments :cool:

    regards,

    paul
     
  19. Guessed

    Guessed Guest

    Thanks again Kye-U. You Rock mate. We're not worthy we're not worthy....
     
  20. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Many thanks Mr. Wilders and Guessed.

    My post has been updated, with a Header filter added. Without it, Proxomitron would not be able to filter .WMF files (or anything other than HTM(L), CSS or JS)
     
  21. As I said, try Bufferzone Home (free). Folders can be restricted so that they cannot be modified by programs running in the bufferzone. That is by default for all folders not in the bz.

    In addition, folders can also be set to 'confidential' so they can't be read.
    The default for this is pretty limited (mydoc), though you can easily set it up to be far more restricted.......

    But seriously what you want is the almighty coreforce

    http://force.coresecurity.com/index.php?module=base&page=main

     
  22. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    These are the most up-to-date Proxomitron filters. (You need Proxomitron in order for these filters to work)

    By using these filters, you are able to kill WMF-Exploit Files, regardless of file extension.

    It uses a Hex-matching method to match the identifying 5 bytes and kills the connection immediately upon detection and alerts you of the offending URL.

    The header filter does allow Proxomitron to filter all file extensions, but the Web Page filter is very specific, and it only applies to files, not HTM(L), CSS, or JS files, so there will be little to no false positives.

    You need BOTH filters to be able to kill WMF-Exploit Files.

    Web Page:

    Code:
    [Patterns]
    Name = "Windows: Kill WMF-Exploit Files [Kye-U]"
    Active = TRUE
    Limit = 5
    Match = "[%01][%00][%09][%00][%00]"
    Replace = "\k$ALERT(Infected WMF-Exploit File Killed on:\n\n\u)"
    Header:

    Code:
    [HTTP headers]
    In = FALSE
    Out = TRUE
    Key = "!-|||||||||||| URL: All File Extensions Force Filter {JJoe} (out)"
    URL = "$FILTER(true)"
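
    As an added example (not code from the thread, and not Proxomitron's own), here is the same idea in Python: decide from the body bytes, not from the URL, whether a response is a WMF file. It parses the standard METAHEADER that the filter's five bytes come from, and goes a little beyond the single pattern above by also accepting the placeable WMF wrapper and the disk-metafile type (2); the URLs and sample headers are constructed for the demo.

```python
import struct

# Added example, not from the thread: classify a fetched body as WMF from its
# header bytes alone, the same idea as the hex-matching filter above.
PLACEABLE_KEY = 0x9AC6CDD7                    # optional 22-byte "placeable" wrapper
FILTER_BYTES = b"\x01\x00\x09\x00\x00"        # the five bytes the Proxomitron filter matches

def parse_wmf_header(body: bytes):
    """Return METAHEADER fields if body starts with a WMF header, else None."""
    offset = 0
    placeable = False
    if len(body) >= 22 and struct.unpack("<I", body[:4])[0] == PLACEABLE_KEY:
        placeable, offset = True, 22          # standard header follows the wrapper
    if len(body) < offset + 18:
        return None
    mtype, hsize, version, fsize, nobj, maxrec, nparams = struct.unpack(
        "<HHHIHIH", body[offset:offset + 18])
    # METAHEADER: Type 1 (memory) or 2 (disk), HeaderSize always 9 words,
    # Version 0x0100 or 0x0300
    if mtype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "type": mtype,
            "version": version, "size_words": fsize}

def verdict(url: str, body: bytes) -> str:
    """'kill' when the body is a WMF regardless of the URL's extension, else 'pass'."""
    return "kill" if parse_wmf_header(body) else "pass"

def filter_would_match(body: bytes) -> bool:
    """What the thread's five-byte pattern alone would catch (anywhere in the body)."""
    return FILTER_BYTES in body

# Constructed samples (not real exploit files): valid-looking headers only.
def make_wmf(mtype=1, placeable=False) -> bytes:
    hdr = struct.pack("<HHHIHIH", mtype, 9, 0x0300, 18, 0, 0, 0)
    if placeable:
        # key, handle, left, top, right, bottom, inch, reserved, checksum
        hdr = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + hdr
    return hdr

SAMPLES = {
    "http://example.invalid/pic.jpg": make_wmf(),                  # WMF hiding behind .jpg
    "http://example.invalid/x.php?id=1": make_wmf(2, placeable=True),
    "http://example.invalid/real.gif": b"GIF89a" + b"\x00" * 20,
}

if __name__ == "__main__":
    for url, body in SAMPLES.items():
        print(verdict(url, body), filter_would_match(body), url)
```

    The placeable, type-2 sample shows the gap the generalization closes: the header parser flags it, while the five-byte pattern alone does not.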
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes! :D That seems to be close to what I was talking about. The fact that it uses OpenBSD code is really promising (I've been an OpenBSD user for years and I have never encountered a more stable and secure OS). I'll definitely give it a try.
     